Bug #8492
closed
Enable setting PKCS#12 export password in Certificate Manager
Description
Several use cases exist for using an exported keypair as a .p12 archive, but are complicated by pfSense not setting an explicit export passphrase on the archive. Some advice exists to input a single space or arbitrary characters for the export passphrase when prompted at import on clients but this does not work in many cases (it may work in only limited cases for specific import utilities). A workaround exists that requires exporting the key and certificate separately and applying an export passphrase using the openssl command line. This is tedious and runs the risk of users leaving unprotected private keys on disk. Devices that appear to require an export passphrase on P12 files are increasingly ubiquitous and it is a reasonable security control. Is it possible to add an export dialog for PKCS#12 that enables a passphrase to be added?
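The workaround mentioned in the description, written out as an added example (not part of the original report and not pfSense code): it wraps a separately exported key and certificate into a passphrase-protected archive, checks that the archive opens before deleting the cleartext key, and confirms that a blank password is rejected. The file names, the `P12_PASS` variable, the throwaway demo key pair and the choice of AES-256-CBC with a SHA-256 MAC are assumptions made for this example.

```shell
#!/bin/sh
# Added example: apply an export passphrase to a separately exported key and
# certificate, then remove the unprotected key. All names are hypothetical.

# make_demo_pair DIR: constructed stand-in for the two exported files
# (unencrypted key plus certificate), generated locally and self-signed.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-vpn-client" \
        -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null
}

# wrap_p12 KEY CERT OUT: build the archive. The passphrase comes from the
# exported variable P12_PASS so it does not appear in the process list.
wrap_p12() {
    [ -n "${P12_PASS:-}" ] || { echo "refusing blank passphrase" >&2; return 2; }
    ( umask 077   # archive readable by the owner only
      openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
          -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
          -passout env:P12_PASS ) || return 1
    # Delete the cleartext key only after the archive verifiably opens.
    openssl pkcs12 -in "$3" -noout -passin env:P12_PASS 2>/dev/null || return 1
    rm -f "$1"
}

# p12_opens_with FILE PASS: exit status 0 only if PASS unlocks FILE.
p12_opens_with() {
    P12_TRY="$2" openssl pkcs12 -in "$1" -noout -passin env:P12_TRY 2>/dev/null
}

# Demo on constructed material inside a private temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pair "$d" || return 1
    P12_PASS='constructed-demo-passphrase'; export P12_PASS
    wrap_p12 "$d/client.key" "$d/client.crt" "$d/client.p12" || return 1
    if p12_opens_with "$d/client.p12" ""; then
        echo "blank password accepted"
    else
        echo "blank password rejected"
    fi
    [ -e "$d/client.key" ] || echo "cleartext key removed"
    unset P12_PASS
    rm -rf "$d"
}
demo
```

On storage where `rm` does not destroy the data (snapshots, copy-on-write file systems, backups), the key should be exported to a memory-backed or encrypted location in the first place.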
Updated by Hyrum Smith over 6 years ago
Running 2.4.3-RELEASE-p1 (amd64). The ability to export a keypair as a PKCS12 package (.p12) without a password is just bad form and should not even be permitted. A PKCS12 package requires encryption and to default to a blank password is very concerning and troublesome, as has been previously outlined.
There is no way to set a password on a regular key export either but the format is not stated so a clear-text key is not unexpected. That is not the case with a .p12 package - encryption & password protection is expected.
This is a real concern for me due to running a VPN Server on pfSense using certificate/key authentication. I use the client packager for distributing the configuration. Providing a proper .p12 package with the configuration file is a secure way to distribute that key, as long as it has an appropriate password. Having to re-encode the .p12 file is just not expected and should be performed when the .p12 file is created.
Possible solutions:
- Force a non-blank password in a dialog (preferable)
- Remove the PKCS#12 option
Updated by Hyrum Smith about 5 years ago
Bug #1192 refers to 3DES encryption which should no longer be used. The need to encrypt / protect a private key on export remains the same. From the age of this original bug, I suspect this is never going to happen. It does not affect the operation of pfSense but if the code allows the export of a private key, encrypting it with a password should have been there too.
Updated by Jim Pingle about 5 years ago
The other request mentions 3DES but it isn't about 3DES, it's about encrypting exported private keys, which covers this, too. If you want to drop a note on the other one mentioning PKCS#12 and using stronger encryption, feel free.